From 0f48ba7b8489770629f1b951a859e719666616ce Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 14 Aug 2020 19:58:37 +0200
Subject: [PATCH] nspawn: provide $container and $container_uuid in /run/host too

This has the major benefit that the entire payload of the container can access these files there. Previously, we'd set them only as env vars, but that meant only PID 1 could read them directly or other privileged payload code with access to /run/1/environ.
---
 src/basic/virt.c    | 10 ++++++++++
 src/nspawn/nspawn.c |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/basic/virt.c b/src/basic/virt.c
index 4c2280cfd6..212b3b7039 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -491,6 +491,16 @@ int detect_container(void) {
                 }
         }
 
+        /* The container manager might have placed this in the /run/host hierarchy for us, which is best
+         * because we can be consumed just like that, without special privileges. */
+        r = read_one_line_file("/run/host/container-manager", &m);
+        if (r > 0) {
+                e = m;
+                goto translate_name;
+        }
+        if (!IN_SET(r, -ENOENT, 0))
+                return log_debug_errno(r, "Failed to read /run/systemd/container: %m");
+
         if (getpid_cached() == 1) {
                 /* If we are PID 1 we can just check our own environment variable, and that's authoritative.
                  * We distinguish three cases:
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c263b0ff70..3ad8829855 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
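Review bot: The error message in the new `if (!IN_SET(r, -ENOENT, 0))` branch names the wrong path: the call just above reads `/run/host/container-manager`, but the log text says `/run/systemd/container`, so a failure here will be attributed to the other probe when someone reads the debug log. Change it to `return log_debug_errno(r, "Failed to read /run/host/container-manager: %m");`. It is also worth a comment that this probe now runs before the PID 1 environment check that the existing comment calls authoritative, so a present file takes precedence over our own `$container` variable, e.g. `/* Checked first: when this file exists it wins over the $container env var below. */`. detect_container() begins and ends outside the hunk, so I cannot see how `m` is declared; `e = m` followed by `goto translate_name` needs `m` to stay allocated until the name has been translated, as presumably the existing /run/systemd/container path already does.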
@@ -3564,6 +3564,14 @@ static int outer_child(
         if (r < 0)
                 return r;
 
+        /* The same stuff as the $container env var, but nicely readable for the entire payload */
+        p = prefix_roota(directory, "/run/host/container-manager");
+        (void) write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE);
+
+        /* The same stuff as the $container_uuid env var */
+        p = prefix_roota(directory, "/run/host/container-uuid");
+        (void) write_string_filef(p, WRITE_STRING_FILE_CREATE, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
+
         if (!arg_use_cgns) {
                 r = mount_cgroups(
                                 directory,
-- 
2.25.1
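Review bot: Both new writes discard their result with `(void)`, so if `/run/host` does not exist yet at this point or the write fails, the payload silently gets no `/run/host/container-manager` and detect_container() falls through to its other probes with no trace of why; keeping the best-effort semantics but logging at debug level, `r = write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE); if (r < 0) log_debug_errno(r, "Failed to write /run/host/container-manager, ignoring: %m");` (and likewise for `container-uuid`), would make that diagnosable. The files are created with `WRITE_STRING_FILE_CREATE` alone and so get whatever mode write_string_file applies by default; since the commit's whole point is that unprivileged payload code can read them, a comment stating the expected readability would make that contract visible. I cannot tell from the hunk whether `arg_uuid` is guaranteed to be set by the time outer_child() runs; if it can still be null here, `container-uuid` would hold the all-zero UUID rather than being absent. outer_child() begins and ends outside the hunk.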